Schools: Cybersecurity

(asked on 16th January 2023)

Question to the Department for Education:

To ask the Secretary of State for Education, what steps her Department is taking to ensure schools are protected from cyber criminals seeking to access their data.


Answered by
Nick Gibb
This question was answered on 24th January 2023

Schools rely heavily on IT and online services to function. These services hold large amounts of sensitive personal data on pupils, parents, and staff and further information which needs to be kept safe and secure. Schools are directly responsible for their own levels of security and data protection, and need to ensure they have the appropriate security protections in place in order to safeguard their systems, data, staff, and pupils.

To help with improving cyber security across the sector, in October 2022 the Department released Cyber Security Standards, which can be found here: https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/cyber-security-standards-for-schools-and-colleges. These standards provide a base level requirement for good cyber security practices in schools, helping to raise resilience across the sector and make schools a harder target for malicious attacks. Many of the areas suggested for improvement are low cost, or free to implement.

Cyber cover is now included in the Department’s Risk Protection Arrangement (RPA) scheme and available to all member schools who have met the following four key pre-defined requirements for this cover:

  • Have offline backups. National Cyber Security Centre (NCSC) help and guidance on backing up is available and ideally follow the 3-2-1 rule explained in the NCSC blog Offline backups in an online world, which can be accessed here: https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world.
  • Have completed NCSC Training for all employees and governors who have access to the member’s IT system by the 31 May 2022 or the start of the membership year, whichever is later.
  • Register with Police CyberAlarm from 1 March 2022.
  • Have a cyber response plan in place. A template has been available to download from the RPA members portal since 1 March 2022.

The Department continues to work closely with stakeholders, including the Joint Information Systems Committee and the NCSC to identify incidents and conduct threat trend analysis to monitor and identify emerging cyber threats posed to the sector at the hands of cyber criminals.

The main vulnerabilities that the Department recognises schools may face are from phishing emails and compromised remote access credentials. Schools can increase their resilience in these areas with cyber security training for school staff from the NCSC which can be found here: https://www.ncsc.gov.uk/information/cyber-security-training-schools, and by introducing Multi-factor Authentication (MFA) to devices logging into the network remotely. The NCSC Active Cyber Defence tools are now available to all schools. These assist in protecting schools from a range of attacks. Further help for schools from the NCSC can be found on their website which can be accessed here: https://www.ncsc.gov.uk/section/education-skills/schools.

In the event of a cyber attack, the Department has a sector facing cyber security team who can provide advice and guidance to assist with recovery. To report an incident and receive support schools can contact sector.incidentreporting@education.gov.uk. Schools are also encouraged to report all cyber incidents to Action Fraud via their reporting site here: https://www.actionfraud.police.uk/.
